When New Risks Don't Land the Same Way
In most compliance discussions, emerging risks are treated as if they arrive uniformly across the institution.
They don’t.
They arrive through people - and people respond differently.
When something new enters a bank or a diversified financial institution - whether driven by market structure, product innovation, or new tools - the assumption is often that policies will guide behavior consistently.
In practice, responses diverge almost immediately.
Some employees escalate quickly - erring on the side of caution. Others move forward quietly - confident they understand the boundaries. And many pause somewhere in between… sensing that something may matter, but unsure whether it warrants action.
That variation is not a flaw. It’s a reflection of how people process uncertainty.
As Wharton’s Amy Edmondson has done extensive work on psychological safety. People are far more likely to speak up when they feel safe doing so …when they believe their judgment will be taken seriously, and that raising a concern won’t create unintended consequences. Similarly, Adam Grant, also of Wharton, has conducted extensive research showing how individuals respond to uncertainty in different ways - some holding back out of concern for getting it wrong, others moving forward with confidence in their own judgment.
When those instincts vary across teams… responses vary with them.
In banks and other complex financial institutions, that unevenness shows up in ways that are easy to recognize. Not as a lack of policy. But as inconsistency in how risk is surfaced.
Where behavior diverges
The uneven adoption of AI inside firms is one example of where behavior is diverging.
In some parts of the organization, employees are leaning in - experimenting with tools to summarize research, draft communications, or accelerate analysis. In others, employees are more cautious… uncertain what is permitted, or how usage might be interpreted later. And in still others, activity may be happening quietly - without much visibility at all. These reactions are not just different. They are driven by different instincts.
Fear can lead to hesitation… or silence. An error of omission - where a potential issue is never raised.
Confidence (or over-confidence) can lead to rapid experimentation. An error of commission - where boundaries are tested before they are fully understood.
Most organizations contain both …at the same time. The result is not just a new category of risk. It’s uneven visibility into that risk. And when activity happens quietly, a second dynamic begins to take hold. Behavior that moves faster (even if less visible) can start to be rewarded, while behavior that escalates early may be perceived as slowing things down. Over time, that creates a subtle misalignment between how work gets done and how risk is expected to be governed.
Some signals surface early - with context and clarity. Others surface late, or only after something has already moved forward. And some may not surface at all… until questions are asked later. This is where governance begins to strain. Not because the organization lacks awareness. But because similar situations are not moving through the institution in the same way.
For compliance leaders, this is a familiar challenge, only now appearing in a new context. The objective is not to eliminate variation. That wouldn’t be realistic. The opportunity is to ensure that variation does not turn into fragmentation.
In practice, that often comes down to a few things done well:
- making expectations explicit as new patterns of behavior emerge
- creating clear and consistent escalation paths across teams
- ensuring that decisions are visible beyond the individuals directly involved
When those elements are in place… something important begins to happen.
Employees may still approach situations differently. Some more cautious. Some more proactive. But the organization itself begins to respond in a more consistent way.
Signals arrive with clearer ownership. Escalations follow recognizable paths. Decisions can be understood …not just as isolated moments… but as part of a broader pattern. Over time, that consistency compounds and it becomes easier to see how similar situations are handled. Easier to compare outcomes. And easier to explain decisions when questions arise later (which you know will!)
Without clarity, institutions often find themselves retracing steps - pulling together emails, conversations, and timelines to understand what happened and why. Not because the information does not exist, but because it was never captured in a consistent way.
This does not eliminate risk
But it changes when risk becomes visible… and how clearly it can be understood. The uneven adoption of AI is one example. Crypto is another. Prediction markets.... There will be others. The underlying question remains the same:
When something new enters the organization, does it surface in a way that allows the institution to respond consistently?
Or does it depend on who happens to encounter it first?
(Please note: Originally appeared on TabbFORUM - Where Capital Markets Speak